Platform: nodejs
Component: serialize-to-js
Fixed in: 3.0.1
CVE-2019-16772 describes a Cross-Site Scripting (XSS) vulnerability found in the serialize-to-js Node.js package. This flaw arises from the package's failure to properly sanitize serialized regular expressions, potentially allowing attackers to inject malicious scripts. Versions prior to 3.0.1 are affected, and upgrading to version 3.0.1 or later resolves the issue.
An attacker exploiting this vulnerability could inject arbitrary JavaScript code into a web application using the serialize-to-js package. This could lead to a variety of malicious actions, including stealing user cookies, redirecting users to phishing sites, or defacing the website. The impact is particularly severe if the application uses the serialized data in a context where it is rendered without proper escaping. While the vulnerability does not directly affect Node.js applications themselves, it poses a risk to applications that utilize serialize-to-js to serialize data for client-side use.
CVE-2019-16772 was publicly disclosed on December 6, 2019. There are currently no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely distributed, but the nature of XSS vulnerabilities makes it likely that a PoC could be developed relatively easily. The vulnerability is not listed on the CISA KEV catalog.
Applications built with Node.js that utilize the serialize-to-js package for data serialization, particularly those where the serialized data is rendered on the client-side without proper escaping, are at risk. Developers who have not recently reviewed their dependencies are also at increased risk.
• nodejs / server: npm list serialize-to-js
  If the output shows a version less than 3.0.1, the system is vulnerable.
• nodejs / server: npm audit serialize-to-js
  This command will identify vulnerable versions and suggest upgrades.
• generic web: Examine application code for usage of serialize-to-js and ensure proper input validation and output encoding are implemented.
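The version checks above depend on npm being run against a live install. The following added example (not part of this advisory) applies the same "version less than 3.0.1" test to a package-lock.json offline, which also catches nested copies of serialize-to-js pulled in by other dependencies. It assumes the lockfile v2/v3 "packages" map written by npm 7 and later, and uses a simplified numeric version comparison with no prerelease handling; the lockfile content is constructed for the example.

```javascript
// Added example: scan a package-lock.json (lockfile v2/v3 "packages" map)
// for serialize-to-js installs below the fixed version 3.0.1.
// Assumption: npm 7+ lockfile shape; version compare is numeric-only.

const FIXED_VERSION = '3.0.1';
const PACKAGE_NAME = 'serialize-to-js';

// Compare two dotted numeric versions; negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every lockfile entry for serialize-to-js with version < 3.0.1,
// including nested copies under another dependency's node_modules.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name !== PACKAGE_NAME || typeof meta.version !== 'string') continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a fixed top-level copy plus a vulnerable
// nested copy that "npm list serialize-to-js" would also report.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/serialize-to-js': { version: '3.0.1' },
    'node_modules/some-lib': { version: '2.4.0' },
    'node_modules/some-lib/node_modules/serialize-to-js': { version: '2.0.0' },
  },
};

// Human-readable summary of the scan result.
function report(lock) {
  const hits = findVulnerable(lock);
  if (hits.length === 0) return `no ${PACKAGE_NAME} < ${FIXED_VERSION} found`;
  return hits
    .map((h) => `VULNERABLE ${h.path}@${h.version} (fix: >= ${FIXED_VERSION})`)
    .join('\n');
}

console.log(report(sampleLock));
```

To run it against a real project, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); a lockfile v1 file has only a "dependencies" tree and is not handled here.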
Exploit status: disclosure
EPSS: 0.30% (53rd percentile)
CVSS vector
The primary mitigation for CVE-2019-16772 is to upgrade the serialize-to-js package to version 3.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing strict input validation and output encoding on any data serialized and deserialized using this package. While a direct WAF rule is unlikely, ensuring proper escaping of user-supplied data within the application can help prevent XSS attacks. There are no specific Sigma or YARA rules applicable to this vulnerability.
Update the serialize-to-js package to version 3.0.1 or later. This fixes the XSS vulnerability by properly escaping unsafe characters in serialized regular expressions.
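The root cause described above is that the regex source was emitted into generated JavaScript verbatim, so characters such as "<" and ">" reached the browser's HTML parser unchanged. The following added example (not the serialize-to-js package's own code) contrasts that naive approach with a hardened serializer that emits a RegExp constructor call whose source is a JSON string literal with HTML-significant characters replaced by \uXXXX string escapes. Because the escapes are decoded by the JavaScript string parser rather than the regex engine, the reconstructed pattern is identical; the sample pattern is constructed for the example.

```javascript
// Added example: serializing a RegExp so the output can be embedded in a
// <script> block without the regex source altering the HTML context.

// Naive approach: emit the regex literal verbatim. Every character of the
// source, including '<' and '>', lands unchanged in the generated script.
function naiveSerializeRegExp(re) {
  return re.toString();
}

// Characters an HTML parser or JS tokenizer treats specially inside <script>:
// angle brackets plus the U+2028/U+2029 line terminators.
const UNSAFE_IN_SCRIPT = /[<>\u2028\u2029]/g;

// Replace each unsafe character in a JSON string literal with a \uXXXX escape.
// JSON.stringify has already escaped backslashes and quotes, so the new
// escapes are interpreted at the string level, not by the regex engine.
function escapeForScript(jsonString) {
  return jsonString.replace(UNSAFE_IN_SCRIPT, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened approach: new RegExp("<escaped source>", "<flags>").
function serializeRegExp(re) {
  if (!(re instanceof RegExp)) throw new TypeError('expected a RegExp');
  const source = escapeForScript(JSON.stringify(re.source));
  const flags = JSON.stringify(re.flags);
  return `new RegExp(${source}, ${flags})`;
}

// Defender-side check: serialized text must contain nothing an HTML parser
// could read as markup or a tokenizer as a line break.
function isScriptSafe(text) {
  return !/[<>\u2028\u2029]/.test(text);
}

// Rebuild the RegExp from its serialized form. Used here only to verify
// that the hardened output round-trips; do not evaluate untrusted text.
function deserializeRegExp(text) {
  return new Function('return (' + text + ');')();
}

// Constructed sample: a pattern whose source contains angle brackets and quotes.
const sample = /<tag attr="x">/gi;
console.log(naiveSerializeRegExp(sample)); // /<tag attr="x">/gi
console.log(serializeRegExp(sample));      // new RegExp("\u003ctag attr=\"x\"\u003e", "gi")
```

The identity escape case (a source such as \<tag, written in the literal as /\<tag/) is the one that a character-level replacement over the regex literal would corrupt; escaping at the JSON string level keeps the backslash and the bracket as separate, correctly decoded characters.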
CVE-2019-16772 is a Cross-Site Scripting (XSS) vulnerability in the serialize-to-js Node.js package, caused by improper sanitization of serialized regular expressions.
You are affected if your project uses serialize-to-js versions prior to 3.0.1. Check your dependencies using npm list serialize-to-js or npm audit serialize-to-js.
Upgrade the serialize-to-js package to version 3.0.1 or later using npm install serialize-to-js@latest.
There are currently no known active exploitation campaigns targeting CVE-2019-16772, but the vulnerability's nature makes it a potential target.
Refer to the npm advisory for CVE-2019-16772: https://www.npmjs.com/advisories/1201